arrikto / oidc-authservice

This is a fork/refactoring of the ajmyyra/ambassador-auth-oidc project
MIT License

Cannot use oidc-authservice along with kubeflow #86

Closed edwardzjl closed 1 year ago

edwardzjl commented 2 years ago

Hi, I'm using oidc-authservice along with kubeflow, and encountered too many redirections on authentication success.

kubeflow manifest version: 1.5
kubeflow version: 1.5
oidc-authservice image version: e236439

On image 28c59ef, which was the default image from the kubeflow-manifest repo, I have the following config and it works:

OIDC_PROVIDER=https://accounts.foobar.com # which was my oidc provider
AUTHSERVICE_URL_PREFIX=/authservice/
OIDC_SCOPES=profile email groups # space separated
REDIRECT_URL=https://kubeflow.foobar.com/login/oidc
SKIP_AUTH_URI=/authserver /api /openapi # space separated
USERID_HEADER=kubeflow-userid
USERID_PREFIX=
USERID_CLAIM=email
PORT="8080"
STORE_PATH=/var/lib/authservice/data.db

But we are interested in switching to the newest image e236439 to try some new features like AUTH_HEADER and ID_TOKEN_HEADER.

We adjusted the config according to README:

OIDC_PROVIDER=https://accounts.foobar.com
AUTHSERVICE_URL_PREFIX=/authservice/
OIDC_SCOPES=profile,email,groups # switched to comma-separated
REDIRECT_URL=https://kubeflow.foobar.com/login/oidc
SKIP_AUTH_URLS=/authserver,/api,/openapi # switched to comma-separated
USERID_HEADER=kubeflow-userid
USERID_PREFIX=
USERID_CLAIM=email
PORT="8080"
STORE_PATH=/var/lib/authservice/data.db

After applying the config and restarting the service, we encountered a too many redirections error and can never access the kubeflow home page.

Does image e236439 collaborate with kubeflow now?

edwardzjl commented 2 years ago

After some digging I find that the oauth callback handler was not properly registered:

router.HandleFunc(path.Join(c.AuthserviceURLPrefix.Path, OIDCCallbackPath), s.callback).Methods(http.MethodGet)

The OIDCCallbackPath was hard coded to /oidc/callback, not respecting the environment variable REDIRECT_URL.

Thus if the user did not set the REDIRECT_URL to /oidc/callback, the callback will never be handled, resulting in an authentication loop.

And the fix should be simple:

router.HandleFunc(c.RedirectURL.Path, s.callback).Methods(http.MethodGet)

May I make a PR for this?

athamark commented 1 year ago

Hello @edwardzjl, thanks for highlighting this bug. Although we give the option to set a custom value to the REDIRECT_URL envvar, this configuration will not affect the AuthService behavior as one would expect. Indeed, the fix you are proposing resolves this problem and I will start reviewing it right away.

athamark commented 1 year ago

You are indeed right about the authentication loop. We have traced it in the step where the browser makes a request to the REDIRECT_URL to exchange the auth code with tokens. However, because Authservice does not handle the REDIRECT_URL (handles only the <AUTHSERVICE_URL_PREFIX>/oidc/callback path), and because REDIRECT_URL is not listed in the SKIP_AUTH_URLS, AuthService will attempt to re-authenticate the request and essentially restarts the authentication process.

Just one question, which entity reports back the Too many redirections... message?
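The route mismatch that edwardzjl diagnosed and athamark traced above, as an added example that is not part of this issue or of the project's code: it registers the callback both ways (hard-coded under the prefix versus the REDIRECT_URL path), probes which paths actually reach the handler, and adds a pre-deployment check that flags the mismatch. It assumes the standard-library ServeMux in place of gorilla/mux and uses the prefix and REDIRECT_URL values from the issue.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"path"
)

// OIDCCallbackPath is the value AuthService hard-codes under AUTHSERVICE_URL_PREFIX.
const OIDCCallbackPath = "/oidc/callback"

// NewRouter registers the callback as the issue describes: with hardcoded=true at
// <prefix>/oidc/callback (the buggy build), otherwise at the path of REDIRECT_URL (the fix).
// The standard-library ServeMux stands in for gorilla/mux; this is not the project's code.
func NewRouter(prefix, redirectURL string, hardcoded bool) (*http.ServeMux, error) {
	ru, err := url.Parse(redirectURL)
	if err != nil {
		return nil, err
	}
	route := ru.Path
	if hardcoded {
		route = path.Join(prefix, OIDCCallbackPath)
	}
	mux := http.NewServeMux()
	// Stand-in for s.callback: it only reports that the route was reached.
	mux.HandleFunc(route, func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "callback handled")
	})
	return mux, nil
}

// Probe sends a GET for p and returns the status: 200 means the callback is reachable,
// 404 is what the browser's redirect hits in the buggy build (in front of a real
// AuthService that unauthenticated request is what restarts the login, hence the loop).
func Probe(mux *http.ServeMux, p string) int {
	rec := httptest.NewRecorder()
	mux.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, p, nil))
	return rec.Code
}

// CallbackMismatch is a pre-deployment check for the buggy build: true when the
// REDIRECT_URL path differs from the route AuthService actually registers.
func CallbackMismatch(prefix, redirectURL string) (bool, error) {
	ru, err := url.Parse(redirectURL)
	if err != nil {
		return false, err
	}
	return ru.Path != path.Join(prefix, OIDCCallbackPath), nil
}
```

Running CallbackMismatch against the issue's config returns true, which is exactly the condition that produces the redirect loop; a REDIRECT_URL ending in /authservice/oidc/callback returns false.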